public Date getNextUpdate() {
if (c.getNextUpdate() != null) {
return c.getNextUpdate().getDate();
}
return null;
}
private CRL getCRL() throws CRLException {
if (sCrlData == null || sCrlDataObjectCount >= sCrlData.size()) {
return null;
}
return createCRL(CertificateList.getInstance(sCrlData.getObjectAt(sCrlDataObjectCount++)));
}
public byte[] getTBSCertList() throws CRLException {
try {
return c.getTBSCertList().getEncoded("DER");
} catch (IOException e) {
throw new CRLException(e.toString());
}
}
public byte[] getEncoded() throws CRLException {
try {
return c.getEncoded(ASN1Encoding.DER);
} catch (IOException e) {
throw new CRLException(e.toString());
}
}
/**
* Checks whether the given certificate is on this CRL.
*
* @param cert the certificate to check for.
* @return true if the given certificate is on this CRL, false otherwise.
*/
public boolean isRevoked(Certificate cert) {
if (!cert.getType().equals("X.509")) {
throw new RuntimeException("X.509 CRL used with non X.509 Cert");
}
TBSCertList.CRLEntry[] certs = c.getRevokedCertificates();
X500Name caName = c.getIssuer();
if (certs != null) {
BigInteger serial = ((X509Certificate) cert).getSerialNumber();
for (int i = 0; i < certs.length; i++) {
if (isIndirect && certs[i].hasExtensions()) {
Extension currentCaName =
certs[i].getExtensions().getExtension(Extension.certificateIssuer);
if (currentCaName != null) {
caName =
X500Name.getInstance(
GeneralNames.getInstance(currentCaName.getParsedValue())
.getNames()[0]
.getName());
}
}
if (certs[i].getUserCertificate().getValue().equals(serial)) {
X500Name issuer;
try {
issuer =
org.bouncycastle.asn1.x509.Certificate.getInstance(cert.getEncoded()).getIssuer();
} catch (CertificateEncodingException e) {
throw new RuntimeException("Cannot process certificate");
}
if (!caName.equals(issuer)) {
return false;
}
return true;
}
}
}
return false;
}
// unsigned CRLs at the root of CMS structure (outside signerInfos)
public Collection<CRL> getUnsignedCRLs() {
try {
Collection<CertificateList> crlCollection = cmsSignedData.getCRLs().getMatches(null);
// Then we need to "cast" from bouncycastle.CertificateList to java.CRL
Collection<CRL> x509CrlsCollection = new HashSet<CRL>(crlCollection.size());
for (CertificateList certList : crlCollection) {
x509CrlsCollection.add(
CertificateFactory.getInstance("X.509", BouncyCastleProvider.PROVIDER_NAME)
.generateCRL(new ByteArrayInputStream(certList.getEncoded())));
}
return x509CrlsCollection;
} catch (Exception e) {
ExceptionHandlerTyped.<SPISignatureException>handle(SPISignatureException.class, e);
}
return null;
}
private CRL readPEMCRL(InputStream in) throws IOException, CRLException {
ASN1Sequence seq = PEM_CRL_PARSER.readPEMObject(in);
if (seq != null) {
return createCRL(CertificateList.getInstance(seq));
}
return null;
}
static boolean verify(final X509CRL crl, final PublicKey publicKey, final boolean silent)
throws NoSuchAlgorithmException, CRLException, InvalidKeyException, SignatureException {
if (crl instanceof X509CRLObject) {
final CertificateList crlList = (CertificateList) getCertificateList(crl);
final AlgorithmIdentifier tbsSignatureId = crlList.getTBSCertList().getSignature();
if (!crlList.getSignatureAlgorithm().equals(tbsSignatureId)) {
if (silent) return false;
throw new CRLException(
"Signature algorithm on CertificateList does not match TBSCertList.");
}
final Signature signature = getSignature(crl.getSigAlgName(), securityProvider);
signature.initVerify(publicKey);
signature.update(crl.getTBSCertList());
if (!signature.verify(crl.getSignature())) {
if (silent) return false;
throw new SignatureException("CRL does not verify with supplied public key.");
}
return true;
}
try {
crl.verify(publicKey);
return true;
} catch (NoSuchAlgorithmException ex) {
if (silent) return false;
throw ex;
} catch (CRLException ex) {
if (silent) return false;
throw ex;
} catch (InvalidKeyException ex) {
if (silent) return false;
throw ex;
} catch (SignatureException ex) {
if (silent) return false;
throw ex;
} catch (NoSuchProviderException e) {
if (isDebug()) e.printStackTrace();
throw new RuntimeException(e); // unexpected - might hide a bug
}
}
public X509CRLObject(CertificateList c) throws CRLException {
this.c = c;
try {
this.sigAlgName = X509SignatureUtil.getSignatureName(c.getSignatureAlgorithm());
if (c.getSignatureAlgorithm().getParameters() != null) {
this.sigAlgParams =
((ASN1Encodable) c.getSignatureAlgorithm().getParameters())
.toASN1Primitive()
.getEncoded(ASN1Encoding.DER);
} else {
this.sigAlgParams = null;
}
this.isIndirect = isIndirectCRL(this);
} catch (Exception e) {
throw new CRLException("CRL contents invalid: " + e);
}
}
public void verify(PublicKey key, String sigProvider)
throws CRLException, NoSuchAlgorithmException, InvalidKeyException, NoSuchProviderException,
SignatureException {
if (!c.getSignatureAlgorithm().equals(c.getTBSCertList().getSignature())) {
throw new CRLException("Signature algorithm on CertificateList does not match TBSCertList.");
}
Signature sig;
if (sigProvider != null) {
sig = Signature.getInstance(getSigAlgName(), sigProvider);
} else {
sig = Signature.getInstance(getSigAlgName());
}
sig.initVerify(key);
sig.update(this.getTBSCertList());
if (!sig.verify(this.getSignature())) {
throw new SignatureException("CRL does not verify with supplied public key.");
}
}
private Set loadCRLEntries() {
Set entrySet = new HashSet();
Enumeration certs = c.getRevokedCertificateEnumeration();
X500Name previousCertificateIssuer = c.getIssuer();
while (certs.hasMoreElements()) {
TBSCertList.CRLEntry entry = (TBSCertList.CRLEntry) certs.nextElement();
X509CRLEntryObject crlEntry =
new X509CRLEntryObject(entry, isIndirect, previousCertificateIssuer);
entrySet.add(crlEntry);
if (isIndirect && entry.hasExtensions()) {
Extension currentCaName = entry.getExtensions().getExtension(Extension.certificateIssuer);
if (currentCaName != null) {
previousCertificateIssuer =
X500Name.getInstance(
GeneralNames.getInstance(currentCaName.getParsedValue()).getNames()[0].getName());
}
}
}
return entrySet;
}
public X509CRLEntry getRevokedCertificate(BigInteger serialNumber) {
Enumeration certs = c.getRevokedCertificateEnumeration();
X500Name previousCertificateIssuer = c.getIssuer();
while (certs.hasMoreElements()) {
TBSCertList.CRLEntry entry = (TBSCertList.CRLEntry) certs.nextElement();
if (serialNumber.equals(entry.getUserCertificate().getValue())) {
return new X509CRLEntryObject(entry, isIndirect, previousCertificateIssuer);
}
if (isIndirect && entry.hasExtensions()) {
Extension currentCaName = entry.getExtensions().getExtension(Extension.certificateIssuer);
if (currentCaName != null) {
previousCertificateIssuer =
X500Name.getInstance(
GeneralNames.getInstance(currentCaName.getParsedValue()).getNames()[0].getName());
}
}
}
return null;
}
private CRL readDERCRL(ASN1InputStream aIn) throws IOException, CRLException {
ASN1Sequence seq = (ASN1Sequence) aIn.readObject();
if (seq.size() > 1 && seq.getObjectAt(0) instanceof ASN1ObjectIdentifier) {
if (seq.getObjectAt(0).equals(PKCSObjectIdentifiers.signedData)) {
sCrlData =
SignedData.getInstance(
ASN1Sequence.getInstance((ASN1TaggedObject) seq.getObjectAt(1), true))
.getCRLs();
return getCRL();
}
}
return createCRL(CertificateList.getInstance(seq));
}
public byte[] getExtensionValue(String oid) {
Extensions exts = c.getTBSCertList().getExtensions();
if (exts != null) {
Extension ext = exts.getExtension(new ASN1ObjectIdentifier(oid));
if (ext != null) {
try {
return ext.getExtnValue().getEncoded();
} catch (Exception e) {
throw new IllegalStateException("error parsing " + e.toString());
}
}
}
return null;
}
private Set getExtensionOIDs(boolean critical) {
if (this.getVersion() == 2) {
Extensions extensions = c.getTBSCertList().getExtensions();
if (extensions != null) {
Set set = new HashSet();
Enumeration e = extensions.oids();
while (e.hasMoreElements()) {
ASN1ObjectIdentifier oid = (ASN1ObjectIdentifier) e.nextElement();
Extension ext = extensions.getExtension(oid);
if (critical == ext.isCritical()) {
set.add(oid.getId());
}
}
return set;
}
}
return null;
}
public Principal getIssuerDN() {
return new X509Principal(X500Name.getInstance(c.getIssuer().toASN1Primitive()));
}
/**
* Returns a string representation of this CRL.
*
* @return a string representation of this CRL.
*/
public String toString() {
StringBuffer buf = new StringBuffer();
String nl = System.getProperty("line.separator");
buf.append(" Version: ").append(this.getVersion()).append(nl);
buf.append(" IssuerDN: ").append(this.getIssuerDN()).append(nl);
buf.append(" This update: ").append(this.getThisUpdate()).append(nl);
buf.append(" Next update: ").append(this.getNextUpdate()).append(nl);
buf.append(" Signature Algorithm: ").append(this.getSigAlgName()).append(nl);
byte[] sig = this.getSignature();
buf.append(" Signature: ").append(new String(Hex.encode(sig, 0, 20))).append(nl);
for (int i = 20; i < sig.length; i += 20) {
if (i < sig.length - 20) {
buf.append(" ").append(new String(Hex.encode(sig, i, 20))).append(nl);
} else {
buf.append(" ")
.append(new String(Hex.encode(sig, i, sig.length - i)))
.append(nl);
}
}
Extensions extensions = c.getTBSCertList().getExtensions();
if (extensions != null) {
Enumeration e = extensions.oids();
if (e.hasMoreElements()) {
buf.append(" Extensions: ").append(nl);
}
while (e.hasMoreElements()) {
ASN1ObjectIdentifier oid = (ASN1ObjectIdentifier) e.nextElement();
Extension ext = extensions.getExtension(oid);
if (ext.getExtnValue() != null) {
byte[] octs = ext.getExtnValue().getOctets();
ASN1InputStream dIn = new ASN1InputStream(octs);
buf.append(" critical(").append(ext.isCritical()).append(") ");
try {
if (oid.equals(Extension.cRLNumber)) {
buf.append(
new CRLNumber(ASN1Integer.getInstance(dIn.readObject()).getPositiveValue()))
.append(nl);
} else if (oid.equals(Extension.deltaCRLIndicator)) {
buf.append(
"Base CRL: "
+ new CRLNumber(
ASN1Integer.getInstance(dIn.readObject()).getPositiveValue()))
.append(nl);
} else if (oid.equals(Extension.issuingDistributionPoint)) {
buf.append(IssuingDistributionPoint.getInstance(dIn.readObject())).append(nl);
} else if (oid.equals(Extension.cRLDistributionPoints)) {
buf.append(CRLDistPoint.getInstance(dIn.readObject())).append(nl);
} else if (oid.equals(Extension.freshestCRL)) {
buf.append(CRLDistPoint.getInstance(dIn.readObject())).append(nl);
} else {
buf.append(oid.getId());
buf.append(" value = ").append(ASN1Dump.dumpAsString(dIn.readObject())).append(nl);
}
} catch (Exception ex) {
buf.append(oid.getId());
buf.append(" value = ").append("*****").append(nl);
}
} else {
buf.append(nl);
}
}
}
Set set = getRevokedCertificates();
if (set != null) {
Iterator it = set.iterator();
while (it.hasNext()) {
buf.append(it.next());
buf.append(nl);
}
}
return buf.toString();
}
public String getSigAlgOID() {
return c.getSignatureAlgorithm().getAlgorithm().getId();
}
public byte[] getSignature() {
return c.getSignature().getBytes();
}
public Date getThisUpdate() {
return c.getThisUpdate().getDate();
}
public PKCS12SafeBagBuilder(CertificateList crl) throws IOException {
this.bagType = PKCSObjectIdentifiers.crlBag;
this.bagValue =
new CertBag(PKCSObjectIdentifiers.x509Crl, new DEROctetString(crl.getEncoded()));
}
public int getVersion() {
return c.getVersionNumber();
}
